Fixes for Lighttpd cipherlist and best practices.

DarkNet/Makefile

@@ -6,7 +6,7 @@ compile:
 	git -C /usr/local/src/tor-browser-en pull
 
 install: compile
-	cp tor-lynx /usr/local/bin
+	if [ `grep -c tor-lynx /etc/bash.bashrc` -lt 1 ]; then echo 'alias tor-lynx="torsocks lynx check.torproject.org"' >> /etc/bash.bashrc; fi
 	@echo 
 	@Optionally, install tor-browser-en from /usr/local/src/.
 

README

@@ -1,27 +1 @@
-# http://www.wtfpl.net/about/
-
-            DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
-                    Version 2, December 2004
-
- Copyright (C) 2004 Sam Hocevar <sam@hocevar.net>
-
- Everyone is permitted to copy and distribute verbatim or modified
- copies of this license document, and changing it is allowed as long
- as the name is changed.
-
-            DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
-   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
-
-  0. You just DO WHAT THE FUCK YOU WANT TO.
-
-                        ANINIX ADDENDUM
-
- Trademark Pending 2017 (https://aninix.net/irc/)
- 
- The "AniNIX" name and |> logo is trademark-pending as of 2017. All
- AniNIX materials can be reproduced and re-used, though you must
- contact the admins of the network to get written permission to use
- the AniNIX name. 
-
- Attribution is appreciated for other materials but not legally
- required or necessary.
+Please note -- these scripts are provided to assist in re-installing services. They are not foolproof, and they do not include a PKGBUILD because they wrap existing software.

SSL/Makefile

@@ -1,4 +1,4 @@
-CERTROOT = "/etc/letsencrypt/live/aninix.net/"
+CERTROOT = /etc/letsencrypt/live/aninix.net
 INSTALLER != curl -s https://aninix.net/foundation/installer-test.bash | /bin/bash
 
 compile:
@@ -62,3 +62,6 @@ selfsigned: compile
 	cp ${CERTROOT}/chain.pem ${CERTROOT}/fullchain.pem
 	cat ${CERTROOT}/cert.pem >> ${CERTROOT}/fullchain.pem
 	make checkperm
+
+fingerprint: ${CERTROOT}/cert.pem
+	openssl x509 -noout -fingerprint -sha256 -inform pem -in ${CERTROOT}/cert.pem

WebServer/Makefile

@@ -31,7 +31,7 @@ reverse: /srv/http/aninix.net /etc/lighttpd
 	cp /etc/lighttpd/conf.d/fastcgi.conf .
 
 test:
-	lighttpd -t -f /etc/lighttpd/lighttpd.conf
+	lighttpd -tt -f /etc/lighttpd/lighttpd.conf
 
 checkperm: /srv/http/aninix.net/ /etc/lighttpd/
 	chmod -R 0755 /srv/http/aninix.net/

WebServer/head.php

@@ -5,10 +5,9 @@
 <link rel='apple-touch-icon' sizes='180x180' href='/AniNIX.png' />
 <meta name='apple-mobile-web-app-capable' content='yes' />
 <link rel="stylesheet" type="text/css" href="/style.css">
-<script src="/engine.js" type="text/javascript"></script>
 <script type="text/javascript">
 <?php 
-if ( $argv[2] == "photo" ) {
+if ( $argc > 2 && $argv[2] == "photo" ) {
    echo '<link rel="stylesheet" href="/css/basic.css" type="text/css" />
 <link rel="stylesheet" href="/css/galleriffic-2.css" type="text/css" />
 <script type="text/javascript" src="/js/jquery-1.3.2.js"></script>
@@ -37,9 +36,11 @@ _gaq.push(['_trackPageview']);
 <body>
 <!-- Begin dynamic navbar -->
 <ul id="navbar">
+<img src="/AniNIX.png" style="width:150px;right:150px;margin-left:auto;margin-right:auto;" />
+<li style="color:white;font-decoration:bold;font-size:2em;">AniNIX</li>
 <?php 
 $dir = opendir("/srv/http/aninix.net/pages");
-echo '<li><a href="/root.php">Root/</a></li>';
+echo '<li><a href="/index.php">Root/</a></li>';
 if ($dir) {
   while ($file=readdir($dir)) {
     $fileHandle = explode('.',$file);

WebServer/lighttpd.conf

@@ -1,13 +1,14 @@
-server.document-root = "/srv/http/"
-server.error-handler-404 = "/errors/404.php"
+server.document-root = "/srv/http/aninix.net/"
 server.port = 80
+server.error-handler-404 = "/srv/http/errors/404.html"
 server.errorlog = "/var/log/lighttpd/error.log"
 accesslog.filename = "/var/log/lighttpd/access.log"
 server.username = "http"
 server.groupname = "http"
 server.follow-symlink = "enable"
 static-file.exclude-extensions = ( ".fcgi", ".php", ".rb", "~", ".inc" )
-index-file.names = ( "index.html","index.php","root.php" )
+index-file.names = ( "index.html", "index.php" )
+# We aren't afraid to tag with our patch cycle.
 server.tag                 = "AniNIX WebServer (powered by ShadowArch Linux and lighttpd)"
 url.access-deny             = ( "~", ".inc", ".." )
 server.modules              = (
@@ -18,20 +19,9 @@ server.modules              = (
                                 "mod_accesslog",
                                 "mod_auth",
                                 "mod_proxy",
+                                "mod_setenv",
 )
 
-# Includes
-include "conf.d/*.conf"
-
-# Authorization
-auth.backend = "htdigest"
-auth.backend.ldap.hostname = "localhost"
-auth.backend.ldap.base-dn = "ou=People,dc=aninix,dc=net"
-auth.backend.ldap.allow-empty-pw = "disable"
-
-# Enable SSL by virtual host
-# Redirects for empty virtualhosting.
-
 ## AniNIX::WebServer
 # Deny HTTP
 $HTTP["scheme"] == "http" {
@@ -39,22 +29,31 @@ $HTTP["scheme"] == "http" {
         url.redirect  = ( ".*" => "https://%0$0" )
     }
 }
-# Allow HTTPS
+
+# Adding notes from https://cipherli.st/ on response headers and HSTS
+setenv.add-response-header = (
+    "Strict-Transport-Security" => "max-age=63072000; includeSubDomains; preload",
+    "X-Frame-Options" => "DENY",
+    "X-Content-Type-Options" => "nosniff"
+)
+
+# Use HTTPS through Virtual Hosting.
+# Redirects for empty virtualhosting.
 $SERVER["socket"] == ":443" {
     ssl.engine = "enable"
-    ssl.use-sslv2 = "disable"
-    ssl.use-sslv3 = "disable"
-    ssl.disable-client-renegotiation = "enable"
-    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES128+EECDH:AES128+EDH"
     ssl.pemfile = "/etc/letsencrypt/live/aninix.net/certkey.pem"
     ssl.ca-file = "/etc/letsencrypt/live/aninix.net/fullchain.pem"
+    ssl.honor-cipher-order = "enable"
+    # Including cipher list from https://www.ssllabs.com/projects/best-practices/index.html (Modified)
+    ssl.cipher-list = "!NULL:!SSLv2:!SSLv3:!TLSv1:EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
     ssl.dh-file = "/etc/ssl/certs/dhparam.pem"
-    ssl.ec-curve = "secp384r1"
+    ssl.use-sslv2 = "disable"
+    ssl.use-sslv3 = "disable"
+    ssl.disable-client-renegotiation = "enable"
     # Virtual hosting for aninix.net
     $HTTP["host"] =~ "(^|www\.)aninix\.net$" {
-    server.document-root = "/srv/http/aninix.net/"
-    
-   }
+        server.document-root = "/srv/http/aninix.net/"
+    }
 }
 
 #Define mimetypes.
@@ -116,8 +115,8 @@ mimetype.assign             = (
 #### auth module
 ## read authentication.txt for more info
 #auth.backend               = "plain"
-#auth.backend.plain.userfile = "lighttpd.user"
-#auth.backend.plain.groupfile = "lighttpd.group"
+#auth.backend.plain.userfile = "user.lighttpd.conf"
+#auth.backend.plain.groupfile = "group.lighttpd.conf"
 #auth.backend.ldap.hostname = "localhost"
 #auth.backend.ldap.base-dn  = "dc=my-domain,dc=com"
 #auth.backend.ldap.filter   = "(uid=$)"
@@ -138,6 +137,7 @@ mimetype.assign             = (
 
 
 ### Unused modules ###
+
 #                               "mod_trigger_b4_dl",
 #                                "mod_auth",
 #                               "mod_status",
@@ -150,7 +150,7 @@ mimetype.assign             = (
 #                               "mod_simple_vhost",
 #                               "mod_evhost",
 #                               "mod_userdir",
-#                               "mod_fastcgi",
+#                "mod_fastcgi",
 #                               "mod_compress",
 #                               "mod_ssi",
 #                               "mod_usertrack",
@@ -160,5 +160,7 @@ mimetype.assign             = (
 #                                "mod_accesslog" 
 #)
 
+# Includes
+include "conf.d/*.conf"
 
 

WebServer/style.css

@@ -7,7 +7,7 @@ body {
 	margin-left: 180px;
 	margin-right: 20px;
 	margin-top: 20px;
-	margin-bottom: 60px;
+	margin-bottom: 20px;
     font-family: Lucida Console, Monaco, monospace;
 }
 
@@ -77,7 +77,7 @@ div.breaker {
 }
 
 /* Links */
-a, a:link, a:visited, .mw-body a.external, .mw-body a.external:visited, .mw-body a.external.text, .mw-body a.external.text:visited, #p-cactions li a, #p-cactions li a:visited, #p-personal li a:link, #p-personal li a, #p-personal li a:visited, #p-personal li a:link { 
+a, a:link, a:visited, .mw-body a.external, .mw-body a.external:visited, .mw-body a.external.text, .mw-body a.external.text:visited, #p-cactions li a, #p-cactions li a:visited, #p-personal li a:link, #p-personal li a, #p-personal li a:visited, #p-personal li a:link,  a[class^="preftab-"], .client-js #preftoc a { 
 	color: #F00; 
 	text-decoration: none;
     background-color: #000;
@@ -222,7 +222,7 @@ html .thumbimage {
     border: none;
 }
 .mw-wiki-logo { 
-    background-size: 100%;
+    background-size: auto 140px;
 }
 #p-logo a, #p-logo a:hover, #p-logo a:visited {
     width: 140px;
@@ -231,10 +231,10 @@ html .thumbimage {
 .diffchange {
     color: #000;
 }
-html .thumbimage {
+html .thumbimage, .client-js #preftoc li.selected {
     border: none;
 }
-div.thumbinner, td.diff-context, table.wikitable, .mw-body, .editOptions, div.pBody, #p-cactions .pBody, #p-personal .pBody, div#footer, .mw-search-profile-tabs, div#column-content, div#globalWrapper {
+div.thumbinner, td.diff-context, table.wikitable, .mw-body, .editOptions, div.pBody, #p-cactions .pBody, #p-personal .pBody, div#footer, .mw-search-profile-tabs, div#column-content, div#globalWrapper, div#mw-content-text, textarea.mw-ui-input, input.mw-ui-input, #preferences {
     background: #000;
     background-color: #000;
     background-image: none;
@@ -1146,7 +1146,7 @@ div#cgit table.ssdiff td.space div {
 	min-height: 3em;
 }
 
-div#cgit .highlight .s, div#cgit .highlight .s1,  div#cgit .highlight .s2,  div#cgit .highlight .se { 
+div#cgit .highlight .s, div#cgit .highlight .sb, div#cgit .highlight .s1,  div#cgit .highlight .s2,  div#cgit .highlight .se { 
     background-color: #000;
     color: #0F0;
 }
@@ -1155,3 +1155,7 @@ div#cgit .highlight .si {
     background-color: #000;
     color: #0FF;
 }
+
+div#cgit table.diff td div.hunk { 
+    color: #AA9;
+}